
[Git][xorg-team/wayland/xwayland][debian-unstable] 4 commits: xkb: Fix buffer overflow in _XkbSetCompatMap()




Timo Aaltonen pushed to branch debian-unstable at X Strike Force / wayland / xwayland

Commits:

  • 26120df7
    by Matthieu Herrb at 2024-10-29T16:26:59+01:00
    xkb: Fix buffer overflow in _XkbSetCompatMap()
    
    The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
    buffer.
    
    However, it didn't update its size properly. It updated `num_si` only,
    without updating `size_si`.
    
    This may lead to local privilege escalation if the server is run as root
    or remote code execution (e.g. x11 over ssh).
    
    CVE-2024-9632, ZDI-CAN-24756
    
    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: José Expósito <jexposit@redhat.com>
    (cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3)
    
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735>
    
  • 3bfef8d7
    by José Expósito at 2024-10-29T16:27:04+01:00
    Bump version to 24.1.4
    
    Signed-off-by: José Expósito <jexposit@redhat.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735>
    
  • 51d00a81
    by Timo Aaltonen at 2024-10-30T12:00:51+02:00
    Merge branch 'upstream-unstable' into debian-unstable
    
  • edb0ccd1
    by Timo Aaltonen at 2024-10-30T12:03:06+02:00
    releasing package xwayland version 2:24.1.4-1
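
The bookkeeping mistake the first commit message describes, as an added C model that is not the xserver's code and not the reported exploit chain: a cut-down CompatMap with the two fields the fix touches, a grow step that mirrors the xkb/xkb.c hunk in both its pre-fix (num_si only) and post-fix (num_si and size_si together) form, plus an assumed else-branch for requests that already fit the allocation. reserve_entries() is a hypothetical sibling path standing in for any code that sizes the array by size_si; it is not tied to a named xserver function. alloc_entries is model-only ground truth so the out-of-bounds write can be reported rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not xserver code: only the fields the fix touches. */
typedef struct {
    unsigned char body[16];       /* stand-in for XkbSymInterpretRec */
} SymInterpRec;

typedef struct {
    SymInterpRec *sym_interpret;  /* heap array of entries */
    unsigned short num_si;        /* entries in use (logical length) */
    unsigned short size_si;       /* entries the record claims are allocated */
    unsigned alloc_entries;       /* model-only ground truth: what realloc really gave us */
} CompatMap;

enum { Success = 0, BadAlloc = 11 };   /* X protocol status values */

/* The invariant the fix restores: the in-use count never exceeds the allocation. */
static bool invariant_holds(const CompatMap *c)
{
    return c->num_si <= c->size_si;
}

/* Mirrors the grow step of the hunk. fixed == false compares against and
 * updates num_si only (the CVE-2024-9632 bug); fixed == true compares against
 * size_si and keeps both fields in step, including on the BadAlloc path.
 * realloc with an explicit multiply replaces reallocarray (not in ISO C);
 * end <= 2 * 65535 here, so the product cannot overflow size_t. */
static int set_compat_map_grow(CompatMap *c, unsigned firstSI, unsigned nSI, bool fixed)
{
    unsigned end = firstSI + nSI;           /* CARD16 + CARD16 on the wire: no wrap */
    unsigned limit = fixed ? c->size_si : c->num_si;

    if (end > limit) {
        SymInterpRec *p = realloc(c->sym_interpret, (size_t)end * sizeof *p);
        if (!p) {
            c->num_si = 0;
            if (fixed) c->size_si = 0;
            return BadAlloc;
        }
        c->sym_interpret = p;
        c->alloc_entries = end;
        c->num_si = (unsigned short)end;
        if (fixed) c->size_si = (unsigned short)end;
    } else if (fixed && end > c->num_si) {
        /* Assumption beyond the visible hunk: room already exists, so only
         * the in-use count has to move. */
        c->num_si = (unsigned short)end;
    }
    return Success;
}

/* Hypothetical sibling path (an assumption of this model): reserves room for
 * n entries and, like any caller would, trusts size_si as the allocation. */
static int reserve_entries(CompatMap *c, unsigned n)
{
    if (n > c->size_si) {
        SymInterpRec *p = realloc(c->sym_interpret, (size_t)n * sizeof *p);
        if (!p) return BadAlloc;
        c->sym_interpret = p;
        c->alloc_entries = n;
        c->size_si = (unsigned short)n;    /* num_si deliberately left alone */
    }
    return Success;
}

/* Stand-in for the copy loop that follows the grow step: instead of writing
 * [firstSI, firstSI+nSI) into the heap, report whether that write would
 * leave the memory actually allocated. */
static bool write_would_overflow(const CompatMap *c, unsigned firstSI, unsigned nSI)
{
    return firstSI + nSI > c->alloc_entries;
}

/* One constructed request sequence; only the bookkeeping variant differs.
 * Returns whether the final 16-entry write would overflow and reports the
 * invariant state after the first grow through *invariant_after_grow. */
static bool scenario_overflows(bool fixed, bool *invariant_after_grow)
{
    CompatMap c = { .sym_interpret = calloc(8, sizeof(SymInterpRec)),
                    .num_si = 8, .size_si = 8, .alloc_entries = 8 };
    if (!c.sym_interpret) abort();

    /* 1: a request extends the table from 8 to 16 entries */
    if (set_compat_map_grow(&c, 0, 16, fixed) != Success) abort();
    *invariant_after_grow = invariant_holds(&c);

    /* 2: another path reserves 12 entries, deciding by size_si */
    if (reserve_entries(&c, 12) != Success) abort();

    /* 3: the same 16-entry request again; end == num_si, so no grow happens */
    if (set_compat_map_grow(&c, 0, 16, fixed) != Success) abort();
    bool overflow = write_would_overflow(&c, 0, 16);

    free(c.sym_interpret);
    return overflow;
}

int main(void)
{
    bool inv;
    bool ovf = scenario_overflows(false, &inv);
    printf("num_si-only update:   invariant %s, 16-entry write %s\n",
           inv ? "holds" : "broken", ovf ? "OVERFLOWS" : "fits");
    ovf = scenario_overflows(true, &inv);
    printf("size_si kept in step: invariant %s, 16-entry write %s\n",
           inv ? "holds" : "broken", ovf ? "OVERFLOWS" : "fits");
    return 0;
}
```

With the pre-fix bookkeeping the first grow leaves num_si at 16 while size_si still says 8, so the sibling path shrinks the real allocation to 12 and the repeated request, which no longer triggers a grow because it does not exceed num_si, would write 16 entries into 12. With both fields updated together the sibling path sees 16 already reserved and nothing is touched.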
    

3 changed files:

Changes:

  • debian/changelog
    1
    +xwayland (2:24.1.4-1) unstable; urgency=medium
    
    2
    +
    
    3
    +  * New upstream release
    
    4
    +    + CVE-2024-9632: Heap-based buffer overflow privilege escalation in
    
    5
    +      _XkbSetCompatMap (closes: #1086244)
    
    6
    +
    
    7
    + -- Timo Aaltonen <tjaalton@debian.org>  Wed, 30 Oct 2024 12:01:08 +0200
    
    8
    +
    
    1 9
     xwayland (2:24.1.3-1) unstable; urgency=medium
    
    2 10
     
    
    3 11
       * New upstream release.
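Review bot: urgency=medium for an upload whose own entry describes a heap-based buffer overflow privilege escalation (CVE-2024-9632, closes: #1086244) looks low; consider urgency=high so the package migrates to testing on the shorter delay. Minor: the new entry's "New upstream release" drops the trailing period that the 2:24.1.3-1 entry below it uses.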
    

  • meson.build
    ... ... @@ -3,10 +3,10 @@ project('xwayland', 'c',
    3 3
                 'buildtype=debugoptimized',
    
    4 4
                 'c_std=gnu99',
    
    5 5
             ],
    
    6
    -        version: '24.1.3',
    
    6
    +        version: '24.1.4',
    
    7 7
             meson_version: '>= 0.56.0',
    
    8 8
     )
    
    9
    -release_date = '2024-10-02'
    
    9
    +release_date = '2024-10-29'
    
    10 10
     
    
    11 11
     add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
    
    12 12
     cc = meson.get_compiler('c')
    

  • xkb/xkb.c
    ... ... @@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
    2990 2990
             XkbSymInterpretPtr sym;
    
    2991 2991
             unsigned int skipped = 0;
    
    2992 2992
     
    
    2993
    -        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
    
    2994
    -            compat->num_si = req->firstSI + req->nSI;
    
    2993
    +        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
    
    2994
    +            compat->num_si = compat->size_si = req->firstSI + req->nSI;
    
    2995 2995
                 compat->sym_interpret = reallocarray(compat->sym_interpret,
    
    2996
    -                                                 compat->num_si,
    
    2996
    +                                                 compat->size_si,
    
    2997 2997
                                                      sizeof(XkbSymInterpretRec));
    
    2998 2998
                 if (!compat->sym_interpret) {
    
    2999
    -                compat->num_si = 0;
    
    2999
    +                compat->num_si = compat->size_si = 0;
    
    3000 3000
                     return BadAlloc;
    
    3001 3001
                 }
    
    3002 3002
             }
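Review bot: with the test now against compat->size_si, the case where req->firstSI + req->nSI fits within size_si but exceeds num_si no longer updates num_si in this hunk, whereas the old `> compat->num_si` test did; unless code later in the function (not visible here) raises it, entries copied into [num_si, firstSI + nSI) would sit beyond the in-use count. Consider adding after the block:
        else if ((unsigned) (req->firstSI + req->nSI) > compat->num_si)
            compat->num_si = req->firstSI + req->nSI;
The growth path itself is right: assigning both fields together, and zeroing both on BadAlloc, keeps num_si <= size_si, which is the invariant the old code broke.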
    

